Information Exposure Affecting Prebid Server package, versions <0.113.0


  • published

    18 May 2020

  • disclosed

    18 May 2020

Introduced: 18 May 2020

CWE-200

How to fix?

Upgrade to version 0.113.0 or higher.

Overview

Prebid Server is an open source implementation of Server-Side Header Bidding.

Affected versions of this package are vulnerable to Information Exposure. Specifically, privacy/ccpa/policy.go and privacy/gdpr/policy.go include code that builds JSON by concatenating strings. If the us_privacy or consent field contains the double-quote character ("), the result can be malformed JSON, or valid JSON with a structure the code never intended. An attacker could exploit this bug to trick Prebid Server into mutating an OpenRTB bid request to contain arbitrary data, bypassing validation.
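The following added example (not Prebid Server's own code; the helper names are hypothetical) reproduces the concatenation flaw the advisory describes beside the encoding/json fix, and includes the check a reviewer wants: after decoding, does the object contain only the key that was meant to be written?

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// buildRegsExtUnsafe mirrors the flawed pattern: JSON assembled by string
// concatenation, so a quote in the value changes the document's structure.
func buildRegsExtUnsafe(usPrivacy string) string {
	return `{"us_privacy":"` + usPrivacy + `"}`
}

// buildRegsExtSafe serialises the same value through encoding/json, which
// escapes quotes so the input can only ever appear as a string value.
func buildRegsExtSafe(usPrivacy string) (string, error) {
	b, err := json.Marshal(struct {
		USPrivacy string `json:"us_privacy"`
	}{usPrivacy})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// decodeKeys parses the document and returns its sorted top-level keys.
// A malformed document returns an error; an unexpected key is a sign that
// a value was promoted into structure.
func decodeKeys(doc string) ([]string, error) {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return nil, err
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

func main() {
	// Constructed sample value: a quote followed by an extra field.
	tainted := `1YNN","extra":"x`
	fmt.Println(buildRegsExtUnsafe(tainted)) // two keys: extra, us_privacy
	safe, _ := buildRegsExtSafe(tainted)
	fmt.Println(safe) // one key: us_privacy, quotes escaped
}
```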